It's The End Of The World As We Know It: Why HTML Encoded e-Mail Is A Terrible Idea

Why was incorporating HTML into email such a bad idea? And what are the solutions to the problems that have been created? As discussed by Kyle Cassidy and Joseph Dries, there are a few programs that will display only innocuous HTML and will not do anything potentially dangerous (such as downloading images from the outside world).

In December of 1874, Mark Twain bought a typewriter and wrote Tom Sawyer on it.
He submitted the first typewritten manuscript to his publisher, who accepted it
with glee, despite the fact that the typewriter had only uppercase letters. His
publisher understood what he was onto, and Tom Sawyer did well enough that we
still read it today. Since time immemorial, the English-speaking people have
been able to express themselves with 26 letters and a dozen or so pieces of
punctuation. So it comes as no surprise that in 1982, when Internet email
standards were first written down, it was decided that 128 characters would be
enough for people to get their point across. (The use of "quoted printable"
has upped that number to 256 to include special characters from non-English
alphabets.)

It was sometime around 1994 when Microsoft decided that it was important for
people to be able to send crazy fonts and formatting in their electronic mail
messages when they incorporated HTML compatibility into their email readers. In
fact, Microsoft thinks that it's so important that it includes a bunch of
silly HTML stationery with copies of Outlook, its email program. This led the
way to the same people sending the same email, but in 30-point blue text on a
green background. Anybody looking at the state of the WWW would realize that
it's insane to let people format the colors of their email.

More Reasons Why HTML Email Is Evil

Apart from simple aesthetics, there are a number of reasons why incorporating
HTML into email was a Bad Idea.

Web Bugs

Links to images (typically 1 x 1 invisible GIFs) or to any remote document
can be used to track when users open an email message. Worse, the user's
email address can be encoded as part of the URL, so that merely displaying the
message verifies and validates the address for the sender.

Active Scripting

It's possible that scripts embedded in HTML mail messages will run
without warning in some email programs. This is especially problematic in
Microsoft Outlook Express and Outlook 98/2000, in which Active Scripting in the
Internet security zone is enabled by default. You can change this by setting
Outlook to use the Restricted site zone and then setting the Restricted site
zone to disable Active Scripting, or (better yet) you can go to the Microsoft
Office Update site
(http://office.microsoft.com/),
and apply all of the Office and Outlook updates that are available.

JavaScript Scripting

The first HTML-capable clients were concerned mostly with properly displaying
the HTML included in your email messages. This led to many instances in which
an email could automatically, and without notice, start sending messages from
your client simply by being viewed. Most mail clients available
today either automatically disable JavaScript in the mail client, or allow you
to choose whether or not you want it enabled or disabled. I have yet to be
convinced of a good reason to have JavaScript enabled in your mail client,
however.
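Most of the trouble described in the last two sections disappears if the mail reader renders only an allowlisted subset of HTML. The following Python program is an added example (it is not code from the article, nor from Outlook or any other mail client mentioned here) of such a sanitizer: it keeps a handful of formatting elements, drops <script>, <iframe> and similar elements together with their contents, removes every on* event-handler attribute, and lets an href through only when its scheme is http, https or mailto. The allowlists and the sample message are assumptions chosen for illustration.

```python
"""Allowlist HTML sanitizer for mail display.

Added example, not code from the article or from any mail client it names.
Every element and attribute not on a short allowlist is dropped, elements in
DROP_WITH_CONTENT are dropped together with their contents, on* handlers are
removed, and href values are kept only for http, https and mailto URLs.
The allowlists below are assumptions chosen for this example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "pre", "code", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}                 # no src anywhere: nothing is fetched
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(url):
    """True for relative URLs and for absolute ones whose scheme is allowed.

    Whitespace and control characters are removed before the scheme check,
    because "java\\nscript:" would otherwise slip past a naive prefix test.
    """
    if url is None:
        return False
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace()).lower()
    if ":" not in cleaned:
        return True                             # relative reference, no scheme
    return cleaned.split(":", 1)[0] in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized fragments, joined at the end
        self.skip_depth = 0    # >0 while inside an element dropped with its content
        self.dropped = []      # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)            # unknown element: keep its text only
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):           # event handler: always removed
                self.dropped.append(f"{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))       # text is re-escaped on output

    def handle_comment(self, data):
        pass                                    # comments are dropped entirely


def sanitize(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message body exercising each kind of active content.
SAMPLE = ('<p onmouseover="alert(1)">Hi <b>there</b></p>'
          '<script>document.location="http://example.invalid/x"</script>'
          '<a href="javascript:alert(1)">click</a>'
          '<a href="https://example.invalid/ok">ok</a>'
          '<iframe src="http://example.invalid/"></iframe>')

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```

Running it prints the cleaned fragment and the list of what was removed, which is the record a mail reader could show the user in place of the original. Because no element is allowed a src attribute, the sanitized output never causes a network fetch, which also covers the web bugs discussed earlier.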

Sending Links to Large but Invisible Files

Aside from sending a tiny unnoticed image, a malicious attacker can also use
HTML to overload a network by including a link to a huge file (<img
src="http://foo.bar/500meg-image.jpg">) and then shrinking it with
width=1 height=1 attributes so that it doesn't appear in the body of the
mail message.
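Both the 1 x 1 web bug and the invisible 500 MB image share two visible signs: a remote http(s) URL and dimensions reduced to a pixel. The Python program below is an added example, not code from the article, that lists every element a mail reader would fetch from the network and flags those signs, as well as a URL that carries an e-mail address. The element/attribute table and the sample message body are assumptions constructed for this example.

```python
"""Remote-resource scanner for HTML mail.

Added example, not code from the article. It lists every element that would
make a mail reader fetch a URL from the network and flags the patterns the
article describes: images reduced to 1x1 (web bugs, or large files hidden
with width=1 height=1), resources hidden by CSS, and URLs carrying an e-mail
address. The tag/attribute table and the sample are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Elements whose attribute triggers a network fetch when rendered.
REMOTE_ATTRS = {"img": "src", "iframe": "src", "script": "src", "link": "href",
                "object": "data", "embed": "src", "source": "src",
                "video": "src", "audio": "src"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def dimension(value):
    """Parse width/height values such as "1", "1px" or " 1%" to an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class ResourceScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = REMOTE_ATTRS.get(tag)
        if attr_name is None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        url = a.get(attr_name, "").strip()
        if not url:
            return
        scheme = urlparse(url).scheme.lower()
        # cid: parts, data: URLs and relative references never leave the machine;
        # only http(s) and scheme-relative ("//host/...") URLs cause a fetch.
        if scheme not in ("http", "https") and not url.startswith("//"):
            return
        reasons = []
        w, h = dimension(a.get("width")), dimension(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny-dimensions")
        if HIDDEN_RE.search(a.get("style", "")):
            reasons.append("hidden-by-style")
        if EMAIL_RE.search(unquote(url)):
            reasons.append("email-in-url")
        self.findings.append({"tag": tag, "url": url, "reasons": reasons})


def scan(html):
    """Return one finding per remote resource, in document order."""
    parser = ResourceScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious(findings):
    """Only the findings that matched at least one web-bug pattern."""
    return [f for f in findings if f["reasons"]]


# Constructed sample: a tracking pixel carrying the recipient address, a huge
# file shrunk to 1x1, an ordinary logo, and an inline (cid:) image.
SAMPLE = """
<p>Hello!</p>
<img src="http://tracker.invalid/open.gif?u=alice%40example.invalid" width="1" height="1">
<img src="http://files.invalid/500meg-image.jpg" width=1 height=1>
<img src="https://cdn.invalid/logo.png" width="200" height="60">
<img src="cid:inline-part-1">
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        flag = ", ".join(f["reasons"]) or "-"
        print(f"{f['tag']:6} {flag:32} {f['url']}")
```

Run on the sample, the scanner reports the tracking pixel with both the tiny-dimensions and email-in-url reasons, the hidden large file with tiny-dimensions only, and the logo with no reasons; the cid: image is skipped because it is carried inside the message itself. A mail reader that refuses to fetch anything in the findings list, or at least anything in suspicious(), defeats both the web bug and the bandwidth attack.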

Possible Abuse by Click-thru Banner Advertisers

Another problem can occur when producing click-thrus from banner ads. To do
this, a malicious user enters into a deal with a banner-ad site, which will pay
him one cent for each time someone accesses their IP address from a banner ad
click-thru. He then assembles dozens or even hundreds of URLs to banner ads, and
spams them out to millions of users. Each time the message is opened by an
unsuspecting user, dozens of click-thrus deposit pennies in the blackhat's
Swiss bank account.

Malicious Messages Difficult to Delete

One nefarious thing about HTML messages containing malicious code is that
it's difficult even to delete them: simply selecting the message causes
the code to execute again in the default configuration of most of today's
mail readers. Almost no one uses a mail client that doesn't have some sort
of preview pane, which forces the mail client to display images or execute
embedded scripts as soon as the message is selected. Deleting the
problematic email often requires removing the "infected" machine from the
network, so as to not spread the damage.